PKINIT with PA-PK-AS-REQ_OLD fails with ASN1_CHECK_TLEN:wrong tag
Jacques Henry
caramba696 at gmail.com
Thu Feb 2 06:04:44 EST 2017
>
> 1. The old draft9 support isn't intended to be used as a wrong-PIN
> fallback; it is only there for interoperability with old PKINIT
> implementations. It might be time to remove that support, since Windows
> Server 2003 hit the end of its extended support life in 2015.
>
When talking about draft9, are you referring to this?
https://tools.ietf.org/html/draft-ietf-cat-kerberos-pk-init-09
Indeed, I don't understand this fallback for a wrong PIN.
We have mainly 2008R2 and 2012R2 and soon 2016.
Keeping a Server 2000/2003 compatibility is another debate.
> 2. We can't decode the Windows PKINIT reply due to some ASN.1 tagging
> issue.
>
> To debug the second problem, I would need a packet capture of the AS-REP
> from the Windows KDC. But it's also not likely to be a high priority
> for me because of the first issue, so if it isn't convenient to get that
> information, it probably isn't worth a lot of effort.
>
You would need the raw AS-REP packet from Wireshark?
I have activated the DEBUG_ASN1 flag, so I end up with the following file:
/tmp/client_received_pkcs7_signeddata
Indeed, OpenSSL complains about this file:
# openssl pkcs7 -in /tmp/client_received_pkcs7_signeddata -inform der
unable to load PKCS7 object
140362212865696:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
140362212865696:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=PKCS7
Using the asn1parse command prints the structure, but I don't want to
copy/paste all the output here.
Thanks.
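As an added example, not code from this thread or from MIT krb5: a small Python DER header walker that reports what a dumped blob such as /tmp/client_received_pkcs7_signeddata starts with, so the outer tag that OpenSSL's PKCS7 decoder rejects can be named without pasting a full asn1parse dump. The file path comes from the message above; the three sample blobs are constructed here.

```python
# Added example (not from the original thread): inspect the outer DER
# headers of a dumped PKCS7 blob. Only tag/length headers are read; no
# signature is parsed or verified.
import sys

# 1.2.840.113549.1.7.2 (id-signedData), DER-encoded OID contents
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element length %d runs past end of data" % length)
    return tag, buf[pos:end], end

def classify_pkcs7(buf):
    """Describe the outer structure: a ContentInfo wrapping id-signedData
    (what a PKCS7 decoder expects) or something else."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        return "outer tag 0x%02x, expected SEQUENCE (0x30) for PKCS7 ContentInfo" % tag
    inner_tag, inner_val, _ = read_tlv(body)
    if inner_tag == 0x06 and inner_val == SIGNED_DATA_OID:
        return "PKCS7 ContentInfo with id-signedData"
    if inner_tag == 0x02:
        return "SEQUENCE starting with INTEGER: consistent with a bare SignedData (no ContentInfo wrapper)"
    return "SEQUENCE starting with tag 0x%02x, not a ContentInfo" % inner_tag

# Constructed samples (not captured from any KDC):
GOOD = bytes.fromhex("300d0609" "2a864886f70d010702" "a000")  # ContentInfo{id-signedData,[0]}
BARE = bytes.fromhex("3003020101")                            # SEQUENCE{INTEGER 1}
WRONG_TAG = bytes.fromhex("a003020101")                       # [0] instead of SEQUENCE

if __name__ == "__main__":
    # Usage: python3 this.py /tmp/client_received_pkcs7_signeddata
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else GOOD
    print(classify_pkcs7(data))
```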